Restrict API Access

2021-12-25 15:36:43 +00:00 · 2021-12-25 15:36:43 +00:00 · 4f1e486e56
parent 328780e2d4
commit 4f1e486e56
2 changed files with 36 additions and 1 deletions
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@ -367,6 +367,39 @@ def apikey_can_configure_dnssec(http_methods=[]):
        return decorated_function
    return decorator

+def allowed_record_types(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.apikey.role.name in ['Administrator', 'Operator']:
+            return f(*args, **kwargs)
+
+        records_allowed_to_edit = Setting().get_records_allow_to_edit()
+        content = request.get_json()
+        for record in content['rrsets']:
+            if record['type'] not in records_allowed_to_edit:
+                current_app.logger.error(f"Error: Record type not allowed: {record['type']}")
+                abort(401)
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+def allowed_record_ttl(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.apikey.role.name in ['Administrator', 'Operator']:
+            return f(*args, **kwargs)
+
+        allowed_ttls = Setting().get_ttl_options()
+        allowed_numric_ttls = [ ttl[0] for ttl in allowed_ttls ]
+        content = request.get_json()
+        for record in content['rrsets']:
+                if record['ttl'] not in allowed_numric_ttls:
+                    current_app.logger.error(f"Error: Record TTL not allowed: {record['ttl']}")
+                    abort(401)
+        return f(*args, **kwargs)
+
+    return decorated_function
+

 def apikey_auth(f):
    @wraps(f)
--- a/powerdnsadmin/routes/api.py
+++ b/powerdnsadmin/routes/api.py
@ -30,7 +30,7 @@ from ..decorators import (
    apikey_can_create_domain, apikey_can_remove_domain,
    apikey_is_admin, apikey_can_access_domain, apikey_can_configure_dnssec,
    api_role_can, apikey_or_basic_auth,
-    callback_if_request_body_contains_key,
+    callback_if_request_body_contains_key, allowed_record_types, allowed_record_ttl
 )
 import secrets
 import string
@ -1060,6 +1060,8 @@ def api_zone_subpath_forward(server_id, zone_id, subpath):
@api_bp.route('/servers/<string:server_id>/zones/<string:zone_id>',
              methods=['GET', 'PUT', 'PATCH', 'DELETE'])
@apikey_auth
+@allowed_record_types
+@allowed_record_ttl
@apikey_can_access_domain
@apikey_can_remove_domain(http_methods=['DELETE'])
@callback_if_request_body_contains_key(apikey_can_configure_dnssec()(),